This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

What is the Best Practice to block iCloud relay?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

What is the Best Practice to block iCloud relay?

phampx
L0 Member

‎10-10-2025 08:10 AM - edited ‎10-10-2025 08:10 AM

What is the best practice method to block iCloud relay without impacting iOS users too much? Apple says to NXDOMAIN the following below. 

mask.icloud.com
mask-h2.icloud.com

Prepare your network or web server for iCloud Private Relay - iCloud - Apple Developer


For the PA though,... should we... create a policy to block, deny or use a URL custom block object rule?

These are some other domains/FQDN I have found:

 

0 Likes Likes
2 REPLIES 2

JayGolf
Community Team Member

‎10-12-2025 01:28 PM - edited ‎10-12-2025 01:43 PM

Hi @phampx ,

 

I would recommend leveraging dns sinkholing at the Palo instead of nxdomain at the DNS level. You can accomplish this via an EDL (Domain List) tied to an AS profile that is referenced in a security policy. DNS sinkholing via the Palo achieves the same effect, but with visibility and logging, which you don't get at the DNS level. Also, DNS sinkholing over URL Filtering/ FQDN-based blocking is efficient in that the fw stops the request at DNS lookup so it doesn’t need to build a full session compared to URL Filtering/fqdn object.

 

  1. You can easily create an EDL using a simple .txt file hosted in a location accessible to the firewall (internal web server/S3 or Cloud storage/GitHub raw link,etc) and enter the private relay domains you have. 
  2. Add the EDL (Type: Domain List) under Objects -> External Dynamic Lists and set it to refresh as you desire (hourly is the fastest).
  3. Reference it in an Anti-Spyware profile -> DNS Policies tab, and set Action = Sinkhole.
  4. Attach that profile to the security rule handling outbound DNS traffic, preferably before your general internet security policy or any policy that has url filtering attached. ** iCloud Private Relay domains are typically categorized by PAN-DB under "Proxy Avoidance and Anonymizers" and might be blocked if you have that enabled.

 

**Side Note (if you choose to block via Security Policy instead of Sinkhole)...

Blocking via FQDN objects in a security policy would be simpler and have the same effect as URL Filtering in this case since you're not needing wildcards and only targeting domains like "mask.icloud.com" and "mask-h2.icloud.com", rather than something like mask.icloud.com/private-relay/api/init. Full URL path-based blocking would require url filtering w/ SSL decryption to inspect the HTTP path inside the TLS session. 

 

 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎10-16-2025 07:24 AM

@phampx,

If this is for managed devices you can simply set allowCloudPrivateRelay and it will ensure that it is disabled on the device itself which is the most effective way to manage things. 

 

If you block mask.icloud.com or mask-h2.icloud.com on devices that you don't manage, this will cause noticeable impact to your Apple endpoints. There's no way around this block triggering a delay for these endpoints; Apple has made changes so that blocking these requests doesn't cause as big of an impact as it did initially when this feature launched, but people will still notice 'slowness' since it will always attempt to utilize Private Relay first and then need to fallback to normal communication. 

0 Likes Likes
  • 352 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks